Assessing technical risk in information technology service management using visual pattern recognition

ABSTRACT

A computer system, non-transitory computer storage medium, and a computer-implemented method of assessing technical risk using visual pattern recognition in an Information Technology (IT) Service Management System. A data visualization engine and a time series generation engine receive the operational data, respectively. A first representation of the data is generated by the data visualization engine, and a second representation of the data is generated by the time series generation engine. Anomaly patterns are identified by a pattern recognition engine configured to perform feature extraction and data transformation. An ensembler is configured to accept the outputs from two AI anomaly engines and make a final decision of whether anomaly patterns are captured. Risk scores based on the identified anomaly patterns are output by a pattern recognition engine to an automated management system. The anomalies includes information regarding vulnerabilities of devices or components of the IT Service Management System.

BACKGROUND Technical Field

The present disclosure generally relates to risk assessment in computeroperations and technical services. More particularly, the presentdisclosure relates to the application of pattern recognition to assesstechnical risks in Information Technology (IT) service management.

Description of the Related Art

Today, IT systems are part of the backbone of operations in a growingnumber of fields. As a result, there is an increased emphasis in riskassessment of failures or incidents in an IT service system that canadversely impact operations and running processes. In a non-limitingexample, risk assessment in IT service management may be performedregarding server availability, storage capacity, or othervulnerabilities.

SUMMARY

According to various embodiments, a computing system, a non-transitorycomputer readable storage medium, and a method are provided to assesstechnical risk in an IT service management system using visual patternrecognition and artificial intelligence (AI). The use of visual patternrecognition according to the present disclosure is applicable acrossdomains other than IT service management.

According to an embodiment, a computing system includes a processor anda plurality of engines. The plurality of engines is configured toperform acts, including receiving an operational data of a system beingmonitored by a data visualization engine and a time series generationengine. The operational data is processed by the data visualizationengine to create a first representation of the operational data. Theoperational data is also processed by the time series generation engineto create a second representation of the operational data. An AIcomponent of the pattern recognition engine receives the firstrepresentation of the operational data and the second representation ofthe operational data, and performs feature extraction and datatransformation on the respective first representation of the operationaldata and the second representation of the operational data. The firstrepresentation of the operational data and the second representation ofthe operational data are scanned to identify respective anomaly patternsby the first AI anomaly identification engine and the second AI anomalyidentification engine respectively. An ensembler is configured to rendera decision as to whether the identified anomaly patterns in the firstrepresentation of the operational data and the second representation ofthe operational data are associated with vulnerabilities of devices orcomponents in the system being monitored. The decision rendered by theensembler is output to an output node.

In one embodiment, the pattern recognition engine includes at least twoartificial intelligence (AI) engines.

A first AI anomaly engine includes a convolutional neural network (CNN)system configured to identify anomaly patterns of the visualizedoperational data generated by the data visualization engine. A second AIanomaly engine includes a Long Short-Term Memory (LS™) model configuredto identify anomaly patterns from the time series data generated by thetime series generation engine. The ensembler is configured to receiveoutputs of the first AI anomaly engine and the second AI anomaly engine.

In one embodiment, the pattern recognition of anomalies of theoperational data processed by the data visualization engine and the timeseries generation engine are output to an Information Technology (IT)service management system. The anomalies are vulnerabilities of devicesor components in the IT service management system.

In one embodiment, the pattern recognition engine performs the datatransformation by at least one of a Fast Fourier Transform, binning, ornormalization. In one embodiment, a machine learning model is created bythe computing device during a training phase, in which the computingdevice is configured to analyze historical patterns of analytical visualcharts generated by the data visualization engine; and to analyzehistorical patterns of time series data generated by the time seriesgeneration engine. The machine learning model is further configured tolabel historical patterns of analytical visual charts and historicalpatterns of time series data as being anomalies according topredetermined criteria.

According to one embodiment, a non-transitory computer readable storagemedium tangibly embodying a computer readable program code havingcomputer readable instructions that, when executed, causes a computerdevice to carry out a method of assessing technical risk using visualpattern recognition and pattern recognition of time series data. Themethod includes the operations of processing a same operational data ofa system being monitored by a data visualization engine and a timeseries generation engine, respectively, to create two representationsfrom the operational data. The data visualization engine generates afirst representation of the operational data comprising analyticalvisual charts including visualized operational data. The time seriesgeneration engine generates a second representation of the operationaldata comprising patterns of time series data.

A pattern recognition engine identifies anomaly patterns in the firstrepresentation of the operational data and the second representation ofthe operational data, respectively. A decision is rendered as to whetherthe identified respective anomaly patterns in the first representationof the operational data and the second representation of the operationaldata are associated with vulnerabilities of devices or components in thesystem being monitored. The decision is output to an output node.

In one embodiment, the assessing of technical risk using visual patternrecognition is performed on an Information Technology (IT) servicemanagement system.

In one embodiment, a computer-implemented method of risk assessmentutilizing visual pattern recognition includes receiving the sameoperational data by a data visualization engine and a time seriesgeneration engine. The data visualization engine generates visualanalytic charts of the operational data, and the time series generationengine generates a time series representation of the same operationaldata. A pattern recognition engine performs feature extraction and datatransformation on the visual analytic charts and the time seriesrepresentation of the operational data. A first Artificial Intelligence(AI) engine includes a convolutional neural network system, andidentifies anomaly patterns from the visualized analytic charts. Asecond AI anomaly engine including a Long Short-Term Memory (LSTM) modeland identifies anomaly patterns from the time series representation ofthe operational data. An ensembler receives outputs of the first AIanomaly engine and the second AI anomaly engine and renders a decisionas to whether the outputs of the first AI anomaly engine and the secondAI anomaly engine comprise anomaly patterns associated withvulnerabilities of device or components in a system being monitored. Therisk assessment engine that receives the decision from the ensembler asto whether the outputs of the first AI anomaly engine and the second AIanomaly engine includes anomaly patterns, and outputs risk scores thatidentify vulnerabilities of devices or components in an InformationTechnology service management system. The risk scores can be output to auser interface (UI).

In one embodiment, the performing of feature extraction and datatransformation on the visual analytic data and the time series dataincludes performing at least one of a dimensionality reduction, a FastFourier Transformation on time series data, or a calculating of anatural logarithm of the operational data.

These and other features will become apparent from the followingdetailed description of illustrative embodiments thereof, which is to beread in connection with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings are of illustrative embodiments. They do not illustrate allembodiments. Other embodiments may be used in addition or instead of theillustrated embodiments herein. Details that may be apparent orunnecessary may be omitted to save space or for more effectiveillustration. Some embodiments may be practiced with additionalcomponents, operations and/or without all the components or operationsthat are illustrated. When the same numeral appears in differentdrawings, it refers to the same or like components or steps.

FIG. 1 illustrates an example architecture of a computing systemconfigured to assess technical risk, consistent with an illustrativeembodiment.

FIGS. 2A and 2B are graphical representations of CPU usage by a datavisualization engine utilizing a Fast Fourier Transformation, consistentwith an illustrative embodiment.

FIG. 2C illustrates an example of a pattern recognition engine thatidentifies anomaly patterns from visualized operational data utilizing aConvolutional Neural Network (CNN), consistent with an illustrativeembodiment.

FIGS. 3A and 3B are images of periodic peaks for network throughputgenerated by a data visualization engine that utilizes a naturallogarithm of time series data generated by the time series generationengine, consistent with an illustrative embodiment.

FIG. 3C is an illustration of the second AI anomaly engine of thepattern recognition engine having a Long Short-Term Memory (LSTM) modelthat identifies anomaly patterns from time series data, consistent withan illustrative embodiment.

FIG. 4 illustrates an example of a problematic time series chart havinganomaly patterns from time series data, consistent with an illustrativeembodiment.

FIG. 5 is a block diagram of the operation of a risk assessment engineassigning a risk score to time series data, consistent with anillustrative embodiment.

FIG. 6 is an illustration of active learning based classification fornew or unrecognized visual patterns, consistent with an illustrativeembodiment.

FIG. 7 is a flowchart illustrating an operation of assessing technicalrisk using visual pattern recognition, consistent with an illustrativeembodiment.

FIG. 8 is a functional block diagram illustration of a computer hardwareplatform that can communicate with various networked components,consistent with an illustrative embodiment.

FIG. 9 depicts a cloud computing environment, consistent with anillustrative embodiment.

FIG. 10 depicts abstraction model layers, consistent with anillustrative embodiment.

DETAILED DESCRIPTION

Overview

In the following detailed description, numerous specific details are setforth by way of examples to provide a thorough understanding of therelevant teachings. However, it should be apparent that the presentteachings may be practiced without such details. In other instances,well-known methods, procedures, components, and/or circuitry have beendescribed at a relatively high-level, without detail, to avoidunnecessarily obscuring aspects of the present teachings.

In one aspect, a risk assessment system in IT management may include oneor more processors, and one or more storage devices coupled to the oneor more processors. Through the use of two different engines (e.g., adata visualization engine and a time series engine) operational data isanalyzed for different types of anomalies to assess a technical risk offailure. The two different engines create two representations of thesame operational data. For example, a data visualization enginegenerates visual charts based on the operational data, while a timeseries generation engine generates time series data that is based on thesame operational data used to generate the visual charts. A patternrecognition engine includes a feature extraction and transformationengine that extracts and transforms the operational data received fromthe data visualization engine and the time series engine. Two ArtificialIntelligence (AI) engines respectively identify anomaly patterns ornormal operational data in the transformed visualization data or thetransformed time series data. An ensembler renders a final decision asto whether the outputs of the two AI engines are anomaly patterns. Theensembler, in one embodiment, includes algorithms that perform machinelearning techniques that may improve accuracy of predictions, andoutputs the anomaly patterns to a risk assessment engine to generaterisk scores that are provided to a User Interface (UI). The ensemblermay perform a voting operation regarding anomaly patterns received frommore than one engine or view of operational data. In such a case, atraining data subset may be utilized for training various classifiers ofa same type. The classifiers may be combine by a majority vote of theclassifier decisions. Thus, the particular class that is identified by alargest number of classifiers can be the (final) decision by theensembler.

By virtue of the concepts discussed herein, some aspects of the presentdisclosure provide for a more accurate operation to automatically assesstechnical risk in real time utilizing operational data that is processedusing capabilities of both time series and visual analytical charts toidentify anomalies associated with high risk systems in IT servicemanagement from two representations of the same operational data. Inaddition, embodiments of the present disclosure provide for an improvedcomputer operation as a more efficient training of risk assessmentmodels based on the at least two representations of the same operationaldata creates a more accurate machine learning model with feweriterations that reduces processing overhead, saves power, and conservesprocessing use.

Example Architecture

FIG. 1 illustrates an example architecture 100 of a computing systemconfigured to assess technical risk consistent with an illustrativeembodiment. In an illustrative embodiment, the computing system is an ITservice management system, and risk assessment is performed in real timeutilizing operational data. For example, an IT service management systemhaving the example architecture 100 shown in FIG. 1 can provideproactive issue prediction in addition to, or place of, reactivemonitoring. However, it is to be understood that the teachings of thepresent disclosure and the practice of the appended claims are notlimited to IT service management and can be applied across otherdomains.

A database 105 stores operational data regarding, for example, CPUusage, memory usage, incident tickets, user requests, automaticallygenerated requests, etc. In one example, the CPU usage and memory usagecan be expressed as overall percentages of use relative to capacity. Inanother example, incident tickets can include information regardingfailed operations performed in response to user requests or automatedrequests. An ongoing history of successful operations may also be storedin the database 105. The aforementioned items, as well as other types ofdata associated with the operation of a computing system (e.g., numberof retries), may constitute categories of raw data that can be analyzedto provide analytical information to identify issues (e.g., issuedetection). In an illustrative embodiment, the issue detection caninclude identifying the most vulnerable (e.g., at risk) devices and/orcomponents in the IT service management system according topredetermined criterion of the analysis of the raw data.

With continued reference to FIG. 1, a plurality of engines 107 includinga data visualization engine 110 and a time series generation engine 115both receive at least some of the operational data stored in database105. The operational data received by both the data visualization engine110 and time series generation engine 115, respectively, is the sameoperational data.

The data visualization engine 110 processes the operational data fromdatabase 105 to provide visual analytical charts based on the analysisperformed. For example, the visual analytical charts may include linecharts produced from analyzing CPU usage at predetermined intervals overa date range. In another example, the visual charts may include ahistogram including a distribution of various incident tickets (e.g.,server related incident tickets, network related tickets).

The time series generation engine 115 processes the operational datafrom database 105 in a time space over a series of time (as opposed to,for example, a simple snapshot) to provide a sequence of numbers forvarious categories of data operational data. The time series generationengine 115 generates a time series representation of the data.

In an illustrative embodiment, the visualization engine 110 and the timeseries generation engine 115 process the same operational data atsubstantially the same time. Accordingly, two representations of thesame operational data are generated (e.g., analytical charts and timeseries representation).

The pattern recognition engine 120 receives the two representations ofthe operational data from the data visualization engine 110 and the timeseries generation engine 115. The pattern recognition engine 120captures anomaly behavior patterns by analyzing the two representations.

The pattern recognition engine 120 includes a feature extraction andtransformation engine 125 that extracts features from the visualanalytical chart(s) provided from the data visualization engine 110. Thefeature extraction and transformation engine 125 then transformsinformation in the visual analytic charts from a time domain to afrequency domain, for example, by a Fast-Fourier transformation. Certainpredetermined features, which may be peaks of a predetermined duration,may be considered key features for extraction.

In addition, the feature extraction and transformation engine 125extracts features from the time series representation of the data, andthen, for example, using a natural log transformation, transforms thetime series data to a new time series data in the natural log format.

The pattern recognition includes at least two anomaly AI engines 130,135 that may receive the transformed information from the featureextraction and transformation engine 125. The anomaly AI engines 130,135 can respectively process the transformed data extracted from featureextraction and transformation engine 125.

For example, the first anomaly AI engine 130 can be embodied as aConvolutional Neural Network (CNN) pattern recognition engine. The firstanomaly AI engine 130 is configured to capture anomaly patterns of thetransformed visual analytic charts.

The second AI anomaly engine 135 can be embodied as a long short-termmemory pattern recognition engine that processes the new time seriesdata output from the feature extraction and transformation engine 125.The second AI anomaly engine 135 is configured to capture anomalypatterns of the transformed time series data (e.g., the new time seriesdata that has undergone a natural log transformation as discussedhereinabove).

The ensembler 140 receives the output of the first AI anomaly engine 130and the second AI anomaly engine 135. In an illustrative embodiment, theensembler 140 may be realized as a voting engine. The ensembler 140analyzes the outputs of the first AI anomaly engine 130 and the secondAI anomaly engine 135 and renders a decision regarding the respectiveanomaly pattern identifications detected by the first AI anomaly engine130 and the second AI anomaly engine 135. The ensembler 140 renders thefinal decision because the AI anomaly engines may provide anomalypattern information that is different, or even partially contradictory.For example, the first AI anomaly engine 130 may output informationindicating no anomaly patterns were captured from the transformed visualanalytic chart(s), whereas the second AI anomaly engine 135 may outputcaptured anomaly patterns. The ensembler 140 renders the final decisionas to whether outputs of the first anomaly 130 and the second AI engine135 comprise anomaly patterns or normal operation based on, for example,at least one of voting or an average. (Is the output of the FeatureExtraction and Transformation engine 125 provided to Ensembler 140 as aninput? If yes, will you provide a description of why and how is thatused? If no, FIG. 1 suggests that is the case.)

With continued reference to FIG. 1, the risk assessment engine 145 isconfigured, for example, to assess the failure risk for a certain deviceor component in the computing system. The risk assessment engine 145 maygenerate risk scores based on the anomaly pattern information receivedfrom the ensembler 140. In an illustrative embodiment, the riskassessment engine 145 may receive performance indicators for a givenmachine/system “M” that have anomalies I₁, I₂, I₃ . . . I_(m). The riskassessment engine 145 may assess the failure risk “r” for machine M asfollows:r=w ₁ I ₁ +w ₂ I ₂ + . . . +w _(m) I _(m)  (Eq. 1)

wherein:

-   -   I₁, I₂, I₃ . . . I_(m) are anomalies of machine M, and    -   w₁, w₂ . . . w_(m) are weights assigned to the respective        anomalies.

Referring to Eq. 1 above, each of the different anomalies (e.g., CPUutilization, storage utilization, retry operations, etc.,) arepredefined and may be associated with a particular identifier (I₁, I₂),and a weight is assigned to each predefined anomaly regarding thelikelihood of a decrease in performance or a failure of a machine M. Inthis illustrative embodiment, the risk calculated by the risk assessmentengine 145 is a weighted sum of all the determined anomalies.

The risk assessment engine outputs the calculated risk assessment to theUser Interface (UI) 150. The UI 150 can be communicatively coupled to aserver configured to perform IT service management. The UI 150 can beconfigured to undertake corrective operations associated with variousrisks (e.g., reschedule a time of certain operations due to high CPUutilization or storage use) and/or may provide a notification (outputnode 155) to notify certain users (e.g., supervisors) about the riskassessment. The risk assessment may be in the form of a score, anddepending on the risk score, the UI 150 may be coupled to a number ofusers that receive notification of the risk score. The manner of thenotification can be realized in the form of a message, alarm, etc.).

The output node 155 may be operatively coupled to an automatedmanagement system, for example, an IT Server Management System. Theoutput node 155 can receive commands/instructions from the IT ServerManagement System that is forwarded to the UI 150 for execution. Thecommands/instructions can be actions to preempt an operational failureby shifting certain operations to other devices or components becausethe risk score can be associated with vulnerabilities of currently useddevices or components.

It is to be understood that the aforementioned description withreference to FIG. 1 is directed to an active phase of a system operationand computer-implemented method of assessing technical risk of thepresent disclosure. As seen in FIG. 1, there is also an active learningcycle (i.e., a training phase) in which, for example, historical datamay be provided to train the machine. For example, during the trainingphase, the risk assessment engine may receive unrecognized patterns, andthose patterns can be labeled by a Subject Matter Expert (SME) 165 andprovided to the pattern recognition engine 120 as labeled patterns 170.

The labeled patterns 170 enhance the operation of the risk assignmentengine 145 to assign a weight to the labeled patterns so that thefailure risk can be accurately calculated. For example, assuming aweight scale from 0 to 1.0 correlating to failures ranging fromtemporary errors to catastrophic failures, the SME can assign a weightto the retries of writing data to storage at 0.2 if it is below acertain threshold, and increase the weight to 0.4 if over the thresholdby an amount determined by the knowledge of the SME. The labeling ofCPU-related anomalies may have a weight, for example, of 0.8, as theremay be an increased risk of a catastrophic failure with CPU anomalies.In some embodiments, there can be one or more SMEs 165 realized as anautomated program in which historical data is analyzed to assign weightsto the unrecognized patterns 160. For example, unrecognized patterns ofanomalies regarding CPU usage can be compared with labeling data ofrecognized patterns of CPU usage and an extrapolation performed tocreate a label for the unrecognized patterns.

It is to be understood that the concepts of the present disclosure arebroader than the illustrative embodiments discussed herein. For example,the pattern recognition engine 120 shown in FIG. 1 may have more thantwo AI anomaly engines. In addition, the AI anomaly engines 130, 135 canbe configured to process the transformed data received from the featureextraction and transformation engine 125 in different manners thandisclosed in the embodiment herein above.

FIGS. 2A and 2B illustrate a graphical representation of an output ofthe Data Visualization Engine 110, in accordance with an illustrativeembodiment. FIG. 2A shows the CPU usage as a stacked percentile afterperforming a Fast Fourier Transformation, and FIG. 2B shows the CPUusage peaks. Visualization data in the form of analytic charts such asshown in FIGS. 2A and 2B are provided to the feature extraction andtransformation module 125 for processing, and is output to the AIanomaly Engine 130. The Fast Fourier Transform is utilized to generateimages in the frequency space. The use of the Fast Fourier Transformseparates the system behavior from data noise. For example, referring toFIGS. 2A and 2B, the low frequency data is from the system behaviorwhile high frequency data is from data noise. In this embodiment, AIanomaly engine 130 is a CNN system that identifies anomaly patterns fromthe visualization data that is discussed in more detail herein belowwith reference to FIG. 2C.

FIG. 2C shows an example of a pattern recognition engine in 200C (thatcan be used to implement the AI anomaly engine 130 of FIG. 1),consistent with an illustrative embodiment. In this example, a CNN modelis used. Below each box of the items of the conventional neural networkis a corresponding representation of the input images and alternatinglayers. The CNN model is a deep learning forward feed network thatalternates between convolutional layers 210 and max-pooling layers 220.The CNN model is topped by a fully connected layer 230 that is alearning function of combinations of the features of the convolutionallayers 210. A softmax layer 240 is used in a final layer of a neuralnetwork-based classifier, and an output label 250 can provide aclassification. The input images 205 are visualization data (e.g.,visualized operational data of CPU usage, storage usage, etc.) that areanalyzed to identify anomaly patterns.

Referring back to FIG. 1, with regard to AI anomaly engines 130 and 135,the CNN of AI engine 130 is one of at least two kinds of deep learningused to identify anomaly patterns from the original time series data. InAI anomaly engine 135, a second kind of deep learning (e.g., an LSTMModel) that identifies anomaly patterns from the original time seriesdata is discussed herein below.

FIGS. 3A and 3B are images of periodic peaks for network throughput 300Aand the natural log of the throughput 300B ((ln)throughput) generated bythe Time Series Generation Engine 115 in FIG. 1) of the patternrecognition engine 125, consistent with an illustrative embodiment. AIanomaly engine 135 identifies anomaly patterns in data generated by thetime series generation engine. Inside the pattern recognition engine 120(FIG. 1), there is a feature extraction and transformation engine 125that extracts predetermined features (e.g., “key” features) from thetime series representation of the data, then using natural logs (e.g.,natural log transformation) transforms the time series data to a newtime series data. The new time series data is then received by AIanomaly engine 135 (e.g., an LSTM recognition engine) and anomalypatterns are captured.

FIG. 3C an example of a pattern recognition engine in 300C (that can beused to implement the second AI anomaly engine 135 of FIG. 1),consistent with an illustrative embodiment. An LSTM model identifiesanomaly patterns from time series data, consistent with an illustrativeembodiment. With reference to FIG. 3C, an example of operational datafor illustrative purposes includes the average CPU usage per five minuteintervals (305), which is input to the LSTM Pattern Recognition engine310. A pattern of neurons 315-1, 315-2 . . . 315 n−1, 315 n are shown,with each neuron receiving one of the average CPU usage (x1, x2, x3)data and the output of the previous neuron 315. The LSTM PatternRecognition engine 310 provides an output to node 320. The internalstructure 325 of one of the LSTM nodes A 315-1 to 315-n is shown to theright of the LSTM Pattern Recognition Engine. It can be seen from theimage of the internal structure 325 of one of the LSTM nodes A receivesthe state S_(t-1) and output O_(t-1) of the previous neuron 315. TheLSTM includes a forget gate 326 to discard long term dependencies, astate update gate 328 that stores an updated state, and an outputnetwork gate 330 that provides an output of the updated state to thenext neuron 315.

The output node 320 from the LSTM pattern recognition engine 310 can beconnected to an input of the ensembler 140 (see FIG. 1, item 140). Theensembler 140 receives either a captured anomaly pattern or anindication that the operational data is normal from the second AI engineanomaly 135. The ensembler 140 also receives a captured anomaly patternor an indication that the operational data is normal from the first AIanomaly engine 130, finalizes a decision as to whether there is ananomaly that has been captured in at least one AI anomaly engine 130,135, and outputs the data to the risk assessment engine 145.

FIG. 4 illustrates an example of a problematic time series chart havinganomaly patterns from time series data, consistent with an illustrativeembodiment. FIG. 4 shows patterns of a periodic peak 410, a suddenincrease 420, a sudden increase then a decrease 430, and a gradualincrease 440. For example, the sudden increase then decrease 430 on theright-hand side of the graph does not return to previous levels of theleft-hand side of the graph. Thus, the sudden increase then decrease 430may be indicative of an anomaly such as a problem with a component. Thegradual increase 440 may be indicative that there is, for example, anincrease in storage utilization. These anomaly patterns are all assigneda risk score from the risk assessment engine 145 of FIG. 1. An ITmanagement system may apply corrective action(s) proactively based onthe risk assessment scores of the anomaly patterns to preempt adegradation or failure of an operation.

FIG. 5 is a block diagram of the operation of a risk assessment engine500 assigning a risk score to time series data that can be used toimplement the risk assessment engine 145 of FIG. 1, consistent with anillustrative embodiment. An input 505 is received by an ensembler 140.At 510, the risk assessment engine 145 analyzes performance indicatorsfor a machine/system M having anomalies I₁, I₂ . . . I_(m). At 515, therisk assessment engine calculates a failure risk for machine/system M byassigning weights (or retrieving previously assigned weights) to eachtype of the anomalies I_(m). The anomalies have recognized patternswhich have been previously assigned weights during a training phase, andcan be arranged in a storage table. In this illustrative example, therisk is determined by Eq. 1 previously discussed herein above(r=w₁I₁+w₂I₂+ . . . +w_(m)I_(m) (Eq. 1)). At output 520 the riskassessment engine 145 outputs the risk assessment to a user interface150 of, for example, an IT service management system. The IT servicemanagement system is configured to determine whether to take correctiveaction in a proactive manner.

FIG. 6 illustrates a conceptual block diagram 600 of an active learningphase based classification for new or unrecognized visual patterns,consistent with an illustrative embodiment. There is shown labeled setof time series charts 605, an SME 610, and unlabeled set of time seriescharts 615. The labeled set of time series charts 605 is training data,which can be historical data. A multi-label classifier 620 is trainedbased on the training data. The multi-label classifier 620 can predictlabels for the unlabeled time series charts 615 based on historicaldata. For example, there can be time series charts associated withhistorical data of previous component failures, and based on acomparison of the historical data, the multi-label classifier canpredict a label that is a closest match to previously labeled timeseries charts, and the SME 650 can validate labels {l₁, l₂, . . . ,l_(n)} for the unlabeled time series charts 615. The training data(represented by the labeled set of time series charts 605) is updatedwith the time series charts 605 and the validated labels {l_(i), l_(j),. . . , l_(n)}. The multi-label classifier 620 can be retrained in thefuture using additional unlabeled time series charts during anotheractive training phase.

Example Process

With the foregoing overview of the example architecture 100, it may behelpful now to consider a high-level discussion of example processes. Tothat end, FIG. 7 presents an illustrative process related to variousaspects of assessing technical risk utilizing visual patternrecognition. Process 700 is illustrated as a collection of blocks in alogical flowchart, which represent a sequence of operations that can beimplemented in hardware, software, or a combination thereof. In thecontext of software, the blocks represent computer-executableinstructions that, when executed by one or more processors, perform therecited operations. Generally, computer-executable instructions mayinclude routines, programs, objects, components, data structures, andthe like that perform functions or implement abstract data types. Theorder in which the operations are described is not intended to beconstrued as a limitation, and any number of the described blocks can becombined in any order and/or performed in parallel to implement theprocess. For discussion purposes, the process 700 is described withreference to the architecture 100 of FIG. 1.

FIG. 7 is a flowchart 700 illustrating an operation of assessingtechnical risk using visual pattern recognition, consistent with anillustrative embodiment.

At operation 705, the same operational data is processed by a datavisualization engine 110 and a time series generation engine 115. Theoperational data may be historical data over a certain range of time forparticular characteristics, such as CPU usage, storage usage, incidenttickets, etc.

At operation 710, the data visualization engine 110 generates visualcharts. An example of a visual chart can be a chart of peaks of CPUusage. At operation 715, patterns of time series data may be generatedby the time series generation engine 115. It is to be understood thatoperations 710 and 715 may be performed substantially simultaneously. Itis noted that a specific order is not required regarding the generationof visual charts and time series data.

At operation 720, a pattern recognition engine analyzes the datagenerated by each of the data visualization engine and time seriesgeneration engine to extract certain features. A Fast Fourier Transformcan be used to transform the data from time space to frequency space sothat an AI anomaly engine (such as AI anomaly engines 130, 135) cancapture anomaly patterns.

At operation 725, an ensembler decides whether the captured patterns arein fact anomaly patterns. If the ensembler decides there are anomalypatterns, such anomaly patterns are output to the risk assessment engineto calculate a risk score for a service management system, such as a UIfor an IT service management system. The IT service management systemmay then perform proactive operations to prevent a hard failure.

If the ensembler decides there are no anomaly patterns, the captureddata may be stored, and the ensembler then will perform operation 720 ona subsequent data group output from the AI engines to determine whetherthere are anomaly patterns.

Example Computer Platform

As discussed above, functions relating to performing technical riskassessment utilizing visual pattern recognition can be performed withthe use of one or more computing devices connected for datacommunication via wireless or wired communication, as shown in FIG. 1and in accordance with the process shown in FIG. 7. FIG. 8 provides afunctional block diagram illustration of a computer hardware platformthat is capable of performing risk assessment using visual recognition,as discussed herein. In particular, FIG. 8 illustrates a network or hostcomputer platform 800, as may be used to implement an appropriatelyconfigured server, such as an IT service management system server.

The computer platform 800 may include a central processing unit (CPU)804, a hard disk drive (HDD) 806, random access memory (RAM) and/or readonly memory (ROM) 808, a keyboard 810, a mouse 812, a display 814, and acommunication interface 816, which are connected to a system bus 802.

In one embodiment, the HDD 806, has capabilities that include storing aprogram that can execute various processes, such as a module for visualrecognition of risk assessment 840, in a manner described herein. TheVisual Recognition of Risk Assessment 840 may have variousmodules/sub-modules configured to perform different functions.

An interaction module 842 is operative to receive electronic data fromvarious sources, including an operational database and data provided viacloud computing. The interaction module 842 may also be configured topresent risk assessment results to a UI 150 or output 155. The datavisualization engine 844 is configured to generate analyticalinformation in the form of visual charts as discussed herein above. Thetime series generation engine 846 is configured to generate time seriesdata as discussed herein above.

The pattern recognition engine 848 can include the feature extractionand transformation engine 849 to extract features output in data by thevisualization and time series generation engines, 844, 846, andtransform the data from time space to frequency space, for example, byperforming a Fast Fourier Transform. AI anomaly Engine1 850 and AIanomaly Engine2 852 identify anomaly patterns in the transformed data ofthe visualization and time series generation engines, 844, 846. Riskassessment engine 854 receives the captured anomaly data (or anotification that no anomaly data was detected) from the AI anomalyEngine1 850 and the AI anomaly Engine2 852, and may output the resultsto, for example, the UI of an IT management server via interactionmodule 842.

The machine learning engine 856 is configured to train, for example, theAI anomaly Engines 850, 852 during an active training phase, and duringsubsequent retraining/updated training.

In one embodiment, a program, such as Apache™, can be stored foroperating the system as a Web server. In one embodiment, the HDD 806 canstore an executing application that includes one or more librarysoftware modules, such as those for the Java™ Runtime Environmentprogram for realizing a JVM (Java™ virtual machine).

Example Cloud Platform

As discussed above, functions relating to performing technical riskassessment using visual recognition may include a cloud 900 (see FIG.9). It is to be understood that although this disclosure includes adetailed description on cloud computing, implementation of the teachingsrecited herein are not limited to a cloud computing environment. Rather,embodiments of the present disclosure are capable of being implementedin conjunction with any other type of computing environment now known orlater developed.

Cloud computing is a model of service delivery for enabling convenient,on-demand network access to a shared pool of configurable computingresources (e.g., networks, network bandwidth, servers, processing,memory, storage, applications, virtual machines, and services) that canbe rapidly provisioned and released with minimal management effort orinteraction with a provider of the service. This cloud model may includeat least five characteristics, at least three service models, and atleast four deployment models.

Characteristics are as follows:

On-demand self-service: a cloud consumer can unilaterally provisioncomputing capabilities, such as server time and network storage, asneeded automatically without requiring human interaction with theservice's provider.

Broad network access: capabilities are available over a network andaccessed through standard mechanisms that promote use by heterogeneousthin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling: the provider's computing resources are pooled to servemultiple consumers using a multi-tenant model, with different physicaland virtual resources dynamically assigned and reassigned according todemand. There is a sense of location independence in that the consumergenerally has no control or knowledge over the exact location of theprovided resources but may be able to specify location at a higher levelof abstraction (e.g., country, state, or datacenter).

Rapid elasticity: capabilities can be rapidly and elasticallyprovisioned, in some cases automatically, to quickly scale out andrapidly released to quickly scale in. To the consumer, the capabilitiesavailable for provisioning often appear to be unlimited and can bepurchased in any quantity at any time.

Measured service: cloud systems automatically control and optimizeresource use by leveraging a metering capability at some level ofabstraction appropriate to the type of service (e.g., storage,processing, bandwidth, and active user accounts). Resource usage can bemonitored, controlled, and reported, providing transparency for both theprovider and consumer of the utilized service.

Service Models are as follows:

Software as a Service (SaaS): the capability provided to the consumer isto use the provider's applications running on a cloud infrastructure.The applications are accessible from various client devices through athin client interface such as a web browser (e.g., web-based e-mail).The consumer does not manage or control the underlying cloudinfrastructure including network, servers, operating systems, storage,or even individual application capabilities, with the possible exceptionof limited user-specific application configuration settings.

Platform as a Service (PaaS): the capability provided to the consumer isto deploy onto the cloud infrastructure consumer-created or acquiredapplications created using programming languages and tools supported bythe provider. The consumer does not manage or control the underlyingcloud infrastructure including networks, servers, operating systems, orstorage, but has control over the deployed applications and possiblyapplication hosting environment configurations.

Infrastructure as a Service (IaaS): the capability provided to theconsumer is to provision processing, storage, networks, and otherfundamental computing resources where the consumer is able to deploy andrun arbitrary software, which can include operating systems andapplications. The consumer does not manage or control the underlyingcloud infrastructure but has control over operating systems, storage,deployed applications, and possibly limited control of select networkingcomponents (e.g., host firewalls).

Deployment Models are as follows:

Private cloud: the cloud infrastructure is operated solely for anorganization. It may be managed by the organization or a third party andmay exist on-premises or off-premises.

Community cloud: the cloud infrastructure is shared by severalorganizations and supports a specific community that has shared concerns(e.g., mission, security requirements, policy, and complianceconsiderations). It may be managed by the organizations or a third partyand may exist on-premises or off-premises.

Public cloud: the cloud infrastructure is made available to the generalpublic or a large industry group and is owned by an organization sellingcloud services.

Hybrid cloud: the cloud infrastructure is a composition of two or moreclouds (private, community, or public) that remain unique entities butare bound together by standardized or proprietary technology thatenables data and application portability (e.g., cloud bursting forload-balancing between clouds).

A cloud computing environment is service oriented with a focus onstatelessness, low coupling, modularity, and semantic interoperability.At the heart of cloud computing is an infrastructure that includes anetwork of interconnected nodes.

Referring now to FIG. 9, an illustrative cloud computing environment 900is depicted. As shown, cloud computing environment 900 includes one ormore cloud computing nodes 910 with which local computing devices usedby cloud consumers, such as, for example, personal digital assistant(PDA) or cellular telephone 954A, desktop computer 954B, laptop computer954C, and/or automobile computer system 954N may communicate. Nodes 910may communicate with one another. They may be grouped (not shown)physically or virtually, in one or more networks, such as Private,Community, Public, or Hybrid clouds as described hereinabove, or acombination thereof. This allows cloud computing environment 950 tooffer infrastructure, platforms and/or software as services for which acloud consumer does not need to maintain resources on a local computingdevice. It is understood that the types of computing devices 954A-Nshown in FIG. 9 are intended to be illustrative only and that computingnodes 910 and cloud computing environment 950 can communicate with anytype of computerized device over any type of network and/or networkaddressable connection (e.g., using a web browser).

Referring now to FIG. 10, a set of functional abstraction layersprovided by cloud computing environment 950 (FIG. 9) is shown. It shouldbe understood in advance that the components, layers, and functionsshown in FIG. 10 are intended to be illustrative only and embodiments ofthe disclosure are not limited thereto. As depicted, the followinglayers and corresponding functions are provided:

Hardware and software layer 1060 includes hardware and softwarecomponents. Examples of hardware components include: mainframes 1061;RISC (Reduced Instruction Set Computer) architecture based servers 1062;servers 1063; blade servers 1064; storage devices 1065; and networks andnetworking components 1066. In some embodiments, software componentsinclude network application server software 1067 and database software1068.

Virtualization layer 1070 provides an abstraction layer from which thefollowing examples of virtual entities may be provided: virtual servers1071; virtual storage 1072; virtual networks 1073, including virtualprivate networks; virtual applications and operating systems 1074; andvirtual clients 1075.

In one example, management layer 1080 may provide the functionsdescribed below. Resource provisioning 1081 provides dynamic procurementof computing resources and other resources that are utilized to performtasks within the cloud computing environment. Metering and Pricing 1082provide cost tracking as resources are utilized within the cloudcomputing environment, and billing or invoicing for consumption of theseresources. In one example, these resources may include applicationsoftware licenses. Security provides identity verification for cloudconsumers and tasks, as well as protection for data and other resources.User portal 1083 provides access to the cloud computing environment forconsumers and system administrators. Service level management 1084provides cloud computing resource allocation and management such thatrequired service levels are met. Service Level Agreement (SLA) planningand fulfillment 1085 provide pre-arrangement for, and procurement of,cloud computing resources for which a future requirement is anticipatedin accordance with an SLA.

Workloads layer 1090 provides examples of functionality for which thecloud computing environment may be utilized. Examples of workloads andfunctions which may be provided from this layer include: mapping andnavigation 1091; software development and lifecycle management 1092;virtual classroom education delivery 1093; data analytics processing1094; transaction processing 1095; and performing technical riskassessment using visual recognition 1096, as discussed herein.

CONCLUSION

The descriptions of the various embodiments of the present teachingshave been presented for purposes of illustration, but are not intendedto be exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to best explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers of ordinary skill in the art to understand the embodimentsdisclosed herein.

While the foregoing has described what are considered to be the beststate and/or other examples, it is understood that various modificationsmay be made therein and that the subject matter disclosed herein may beimplemented in various forms and examples, and that the teachings may beapplied in numerous applications, only some of which have been describedherein. It is intended by the following claims to claim any and allapplications, modifications and variations that fall within the truescope of the present teachings.

The components, steps, features, objects, benefits and advantages thathave been discussed herein are merely illustrative. None of them, northe discussions relating to them, are intended to limit the scope ofprotection. While various advantages have been discussed herein, it willbe understood that not all embodiments necessarily include alladvantages. Unless otherwise stated, all measurements, values, ratings,positions, magnitudes, sizes, and other specifications that are setforth in this specification, including in the claims that follow, areapproximate, not exact. They are intended to have a reasonable rangethat is consistent with the functions to which they relate and with whatis customary in the art to which they pertain.

Numerous other embodiments are also contemplated. These includeembodiments that have fewer, additional, and/or different components,steps, features, objects, benefits and advantages. These also includeembodiments in which the components and/or steps are arranged and/orordered differently.

Aspects of the present disclosure are described herein with reference toa flowchart illustration and/or block diagram of a method, apparatus(systems), and computer program products according to embodiments of thepresent disclosure. It will be understood that each block of theflowchart illustrations and/or block diagrams, and combinations ofblocks in the flowchart illustrations and/or block diagrams, can beimplemented by computer readable program instructions.

These computer readable program instructions may be provided to aprocessor of an appropriately configured computer, special purposecomputer, or other programmable data processing apparatus to produce amachine, such that the instructions, which execute via the processor ofthe computer or other programmable data processing apparatus, createmeans for implementing the functions/acts specified in the flowchartand/or block diagram block or blocks. These computer readable programinstructions may also be stored in a computer readable storage mediumthat can direct a computer, a programmable data processing apparatus,and/or other devices to function in a manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The call-flow, flowchart, and block diagrams in the figures hereinillustrate the architecture, functionality, and operation of possibleimplementations of systems, methods, and computer program productsaccording to various embodiments of the present disclosure. In thisregard, each block in the flowchart or block diagrams may represent amodule, segment, or portion of instructions, which comprises one or moreexecutable instructions for implementing the specified logicalfunction(s). In some alternative implementations, the functions noted inthe blocks may occur out of the order noted in the Figures. For example,two blocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts or carry outcombinations of special purpose hardware and computer instructions.

While the foregoing has been described in conjunction with exemplaryembodiments, it is understood that the term “exemplary” is merely meantas an example, rather than the best or optimal. Except as statedimmediately above, nothing that has been stated or illustrated isintended or should be interpreted to cause a dedication of anycomponent, step, feature, object, benefit, advantage, or equivalent tothe public, regardless of whether it is or is not recited in the claims.

It will be understood that the terms and expressions used herein havethe ordinary meaning as is accorded to such terms and expressions withrespect to their corresponding respective areas of inquiry and studyexcept where specific meanings have otherwise been set forth herein.Relational terms such as first and second and the like may be usedsolely to distinguish one entity or action from another withoutnecessarily requiring or implying any actual such relationship or orderbetween such entities or actions. The terms “comprises,” “comprising,”or any other variation thereof, are intended to cover a non-exclusiveinclusion, such that a process, method, article, or apparatus thatcomprises a list of elements does not include only those elements butmay include other elements not expressly listed or inherent to suchprocess, method, article, or apparatus. An element proceeded by “a” or“an” does not, without further constraints, preclude the existence ofadditional identical elements in the process, method, article, orapparatus that comprises the element.

The Abstract of the Disclosure is provided to allow the reader toquickly ascertain the nature of the technical disclosure. It issubmitted with the understanding that it will not be used to interpretor limit the scope or meaning of the claims. In addition, in theforegoing Detailed Description, it can be seen that various features aregrouped together in various embodiments for the purpose of streamliningthe disclosure. This method of disclosure is not to be interpreted asreflecting an intention that the claimed embodiments have more featuresthan are expressly recited in each claim. Rather, as the followingclaims reflect, the inventive subject matter lies in less than allfeatures of a single disclosed embodiment. Thus, the following claimsare hereby incorporated into the Detailed Description, with each claimstanding on its own as a separately claimed subject matter.

What is claimed is:
 1. A computing system comprising: a processor; aplurality of engines coupled to the processor and configured to performacts, comprising: receive an operational data of a system beingmonitored by a data visualization engine and a time series generationengine of the plurality of engines, respectively; process theoperational data by the data visualization engine to create a firstrepresentation of the operational data; process the operational data bythe time series generation engine to create a second representation ofthe operational data; receive, by a pattern recognition engine of theplurality of engines, the first representation of the operational dataand the second representation of the operational data, and performfeature extraction and data transformation on the respective firstrepresentation of the operational data and the second representation ofthe operational data; identify respective anomaly patterns in thefeature extracted and data transformed first representation and secondrepresentation of the operational data; render, by an ensembler, adecision as to whether the identified anomaly patterns in the featureextracted and data transformed respective first and secondrepresentation of the operational data are associated withvulnerabilities of devices or components in the system being monitored;and output the decision rendered by the ensembler to an output node. 2.The computing system according to claim 1, wherein: the firstrepresentation of the operational data comprises analytical visualcharts including visualized operational data generated by the datavisualization engine, and the second representation of the operationaldata comprises time series data patterns generated by the time seriesgeneration engine.
 3. The computing system according to claim 2, furthercomprising a machine learning model that is configured during a trainingphase to: analyze historical patterns of analytical visual chartsgenerated by the data visualization engine; analyze historical patternsof time series data generated by the time series generation engine; andreceive a label of historical patterns of analytical visual charts andhistorical patterns of time series data as being anomalies according topredetermined criteria.
 4. The computing system according to claim 1,wherein the ensembler is configured to render the decision as to whetherthe identified anomaly patterns are associated with vulnerabilities ofdevices or components in the system being monitored.
 5. The computingsystem according to claim 4, wherein the ensemble is configured toperform a voting operation combining a largest number of classifiersassociated with the anomaly patterns.
 6. The computing system accordingto claim 5, wherein the ensembler is configured to perform the votingoperation to include a weighting system that is assigned to theclassifers associated with the anomaly patterns.
 7. The computing systemaccording to claim 1, further comprising a risk assessment engineconfigured to calculate one or more risk assessment scores associatedwith the vulnerabilities of devices or components in the system beingmonitored, wherein: the risk assessment engine outputs the calculatedone or more risk assessment scores to the output node, and the outputnode comprises an Information Technology (IT) service management system.8. The computing system according to claim 7, wherein the one or morerisk assessment scores are output to a User Interface (UI) incommunication with the output node.
 9. The computing system according toclaim 6, wherein the risk assessment engine assesses risk scores in realtime utilizing the operational data processed by the data visualizationengine and the time series generation engine.
 10. The computing systemaccording to claim 3, wherein: the pattern recognition engine includesat least two artificial intelligence (AI) engines comprising: a firstanomaly AI engine comprising a convolutional neural network (CNN) systemconfigured to identify anomaly patterns of the visualized operationaldata generated by the data visualization engine; and a second AI anomalyengine comprising a Long Short-Term Memory (LS™) model configured toidentify anomaly patterns from the patterns of time series datagenerated by the time series generation engine; and the ensembler isconfigured to receive outputs of the first AI anomaly engine and thesecond AI anomaly engine.
 11. The computing system according to claim10, wherein, during an active phase, patterns of time series dataunidentified by the first AI anomaly engine or patterns of visualanalytical charts unidentified by the second AI anomaly engine arelabeled during a training phase of the machine learning model and outputto the pattern recognition engine.
 12. The computing system according toclaim 10, wherein the pattern recognition engine is configured toperform the data transformation by a Fast Fourier Transform thattransforms the visual analytic charts from a time space to a frequencyspace.
 13. A non-transitory computer readable storage medium tangiblyembodying a computer readable program code having computer readableinstructions that, when executed, causes a computer device to carry outa method of assessing technical risk using visual pattern recognitionand pattern recognition of time series data, the method comprising:processing an operational data of a system being monitored by a datavisualization engine and a time series generation engine, respectively,to create two representations from the operational data; generating, bythe data visualization engine, a first representation of the operationaldata comprising analytical visual charts including visualizedoperational data; generating, by the time series generation engine, asecond representation of the operational data comprising patterns oftime series data; identifying, by a pattern recognition engine, anomalypatterns in the first representation of the operational data and thesecond representation of the operational data, respectively; rendering adecision as to whether the identified respective anomaly patterns in thefirst representation of the operational data and the secondrepresentation of the operational data are associated withvulnerabilities of devices or components in the system being monitored;and outputting the decision to an output node.
 14. The non-transitorycomputer readable storage medium of claim 13, further comprising:calculating, by a risk assessment engine, one or more risk assessmentscores associated with the vulnerabilities of devices or components inthe system being monitored, based on anomaly patterns in the firstrepresentation of the operational data and the second representation ofthe operational data, respectively; and outputting the one or more riskassessment scores to an Information Technology (IT) service managementsystem.
 15. The non-transitory computer readable storage medium of claim14, wherein: the pattern recognition engine includes a first artificialintelligence (AI) anomaly engine comprising a convolutional neuralnetwork (CNN) system, and a second AI anomaly engine comprising a LongShort-Term Memory (LSTM) model; the identifying of anomaly patterns ofthe visualized operational data generated by the data visualizationengine is performed by the first AI engine; and the identifying ofanomaly patterns from the time series data generated by the time seriesgeneration engine is performed by the second AI engine.
 16. Thenon-transitory computer readable storage medium of claim 15, furthercomprising: receiving, by an ensembler, outputs of the first AI anomalyengine and the second AI anomaly engine, wherein the ensembler isfurther configured to render a decision as to whether the outputs of thefirst AI anomaly engine and the second AI anomaly engine compriseanomaly patterns associated with the vulnerabilities of devices orcomponents in the system being monitored, based on a voting operationcombining a largest number of classifiers associated with the anomalypatterns.
 17. The non-transitory computer readable storage medium ofclaim 13, wherein: the pattern recognition engine is configured toperform feature extraction and data transformation of the firstrepresentation of the operational data by the data visualization engine,and the second representation of the operational data by the time seriesgeneration engine, and the pattern recognition engine performs the datatransformation by at least one of a Fast Fourier Transform, binning, ornormalization.
 18. A computer-implemented method of risk assessmentutilizing visual pattern recognition, the computer-implemented methodcomprising: receiving an operational data by a data visualization engineand a time series generation engine; generating, by the datavisualization engine, visual analytic charts of the operational data;generating, by the time series generation engine, a time seriesrepresentation of the operational data; performing, by a patternrecognition engine, feature extraction and data transformation on thevisual analytic charts and the time series representation of theoperational data; identifying, by a first Artificial Intelligence (AI)anomaly engine including a convolutional neural network system, anomalypatterns from the visualized analytic charts; identifying, by a secondAI anomaly engine including a Long Short-Term Memory (LSTM) model,anomaly patterns from the time series representation of the operationaldata; receiving, by an ensembler, outputs of the first AI anomaly engineand the second AI anomaly engine and rendering a decision as to whetherthe outputs of the first AI anomaly engine and the second AI anomalyengine comprise anomaly patterns associated with vulnerabilities ofdevice or components in a system being monitored; rendering, by a riskassessment engine that receives the decision from the ensembler, riskscores associated with the identified vulnerabilities of devices orcomponents in an Information Technology service management system; andoutputting the risk scores to a user interface (UI).
 19. Thecomputer-implemented method according to claim 18, wherein: the patternrecognition engine identifies the anomaly patterns using a firstrepresentation and a second representation of the same operational data,respectively, the performing of feature extraction and datatransformation on the visual analytic data and the time series dataincludes at least one of a dimensionality reduction, a Fast FourierTransformation of the visual analytic data and the time seriesrepresentation of the operational data, or calculating a naturallogarithm of the operational data.
 20. The computer-implemented methodaccording to claim 19, further comprising configuring a machine learningmodel during a training phase to: analyze historical patterns ofanalytical visual charts generated by the data visualization engine;analyze historical patterns of time series data generated by the timeseries generation engine; and receive a label of historical patterns ofanalytical visual charts and historical patterns of time series data asbeing anomalies according to predetermined criteria.